WannaCry Ransomware

There have been recent widespread reports concerning an emerging malware campaign known as WannaCry. So far, we’ve seen reported infections in 99 countries. Cyber-security firm Avast said it had seen 75,000 cases of the ransomware around the world. Kaspersky is reporting 45,000 attacks in 74 countries (with Russia most badly affected). Both of these are likely to be seeing just a portion of the overall attack.

The WannaCry ransomware can enter your network either via e-mail or via HTTP/HTTPS download links. Once inside, it can spread laterally across the LAN/DMZ by exploiting an SMB vulnerability (codenamed “EternalBlue”) that was made public as part of the Shadow Brokers dump on April 14th, 2017 and had already been patched by Microsoft on March 14th, 2017 (MS17-010).

The malware used in the attacks encrypts files and appends .WCRY to the extension of each encrypted file. It also drops a decryption tool, changes the desktop wallpaper, and displays a notice demanding payment in Bitcoin for the decryption key. Initial variants requested US$300, but this has recently been increased to US$600 in Bitcoin.

The file extensions targeted by the malware fall into several clusters of formats, including:

Network Box has released several signatures to protect against this, as well as generic heuristic protection. Some of the threat names seen include:

Trojan-Ransom.Win32.Gen.djd

Trojan-Ransom.Win32.Scatter.tr

Trojan-Ransom.Win32.Zapchast.i

PDM:Trojan.Win32.Generic

Trojan.Win64.EquationDrug.gen

Trojan-Ransom.Win32.Wanna.a through Trojan-Ransom.Win32.Wanna.q

We continue to see new variants on an hourly basis and are issuing signatures using the Trojan-Ransom.Win32.Wanna.* prefix namespace. We’ve also released IDS, IPS, and INFECTEDLAN signatures to be able to detect, block and alert on infections within the network.
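The lateral spread described above shows up on the network as one host opening SMB (TCP/445) connections to many distinct internal neighbours in a short time, which is the behaviour an "infected LAN" detection looks for. The following is an added illustration, not Network Box's signature logic: it runs a sliding-window fan-out check over constructed firewall connection-log lines in an assumed "<timestamp> <src> -> <dst>:<port> <proto>" format, with the threshold and window chosen as assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample, not real traffic: one host sweeping TCP/445 across the
# LAN (the lateral-spread pattern), one workstation using a file server normally.
def make_sample_log():
    base = datetime(2017, 5, 12, 10, 0, 0)
    def stamp(s):
        return (base + timedelta(seconds=s)).isoformat()
    lines = [f"{stamp(i)} 10.0.1.25 -> 10.0.1.{100 + i}:445 tcp" for i in range(12)]
    lines += [f"{stamp(10 * i)} 10.0.1.40 -> 10.0.1.5:445 tcp" for i in range(5)]
    lines.append(f"{stamp(0)} 10.0.1.40 -> 203.0.113.10:443 tcp")  # not SMB, ignored
    return "\n".join(lines)

# Assumed log format: "<ISO timestamp> <src> -> <dst>:<port> <proto>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), proto

def find_smb_sweeps(log_text, threshold=10, window_s=60):
    """Return {src: max distinct internal TCP/445 targets within any window_s
    seconds} for sources reaching threshold. A worm fans out; a client does not."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[4] != "tcp" or rec[3] != 445:
            continue
        ts, src, dst = rec[0], rec[1], rec[2]
        if not ipaddress.ip_address(dst).is_private:
            continue  # only lateral (internal) targets count
        by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            distinct = len({d for _, d in events[start:end + 1]})
            if distinct >= threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts
```

Tune the threshold to the site: a backup server or vulnerability scanner legitimately touches many hosts on 445 and should be whitelisted rather than lowering the bar for everything else.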

The malware uses the TOR network and a set of .onion domains.

Based on the severity and impact of this attack, Network Box Security Response makes the following recommendations:

Block access to the TOR network. Network Box 5 includes policy control options for controlling access to the TOR network, and we recommend that these be deployed and enabled.

Make sure that all hosts are running and have enabled endpoint security solutions.

Ensure that the official patch (MS17-010) from Microsoft, which closes the affected SMB Server vulnerability used in this attack, is installed on all your systems.

Isolate incoming laptops and ensure that they (a) have been patched with MS17-010, (b) have endpoint security solutions installed, enabled, and running, and (c) have been manually scanned and confirmed clean – before connecting them to your network.

So far, it seems that the multi-engine, multi-level, approach that Network Box uses is keeping this at bay for our customers. However, we’ve seen a large increase in both heuristic and WannaCry-specific blocks in recent hours and Network Box Security Response is keeping a close eye on the situation.